WPHardening is a tool to fortify the security of a WordPress installation.
Installation
Installing WPHardening requires you to execute one console command:
$ pip install -r requirements.txt
Usage:
$ python wphardening.py -h
__ _______ _ _ _ _
\ \ / / __ \| | | | | | (_)
\ \ /\ / /| |__) | |__| | __ _ _ __ __| | ___ _ __ _ _ __ __ _
\ \/ \/ / | ___/| __ |/ _` | '__/ _` |/ _ \ '_ \| | '_ \ / _` |
\ /\ / | | | | | | (_| | | | (_| | __/ | | | | | | | (_| |
\/ \/ |_| |_| |_|\__,_|_| \__,_|\___|_| |_|_|_| |_|\__, |
__/ |
Fortify the security of any WordPress installation. |___/
Caceria de Spammers - http://www.caceriadespammers.com.ar
Usage: python wphardening.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Active verbose mode output results
--update Check for WPHardening latest stable version
Target:
This option must be specified to modify the package WordPress.
-d DIRECTORY, --dir=DIRECTORY
**REQUIRED** - Working Directory.
--load-conf=FILE Load file configuration.
Hardening:
Different tools to hardening WordPress.
-c, --chmod Chmod 755 in directory and 644 in files.
-r, --remove Remove files and directory.
-b, --robots Create file robots.txt
-f, --fingerprinting
Deleted fingerprinting WordPress.
-t, --timthumb Find the library TimThumb.
--chown=user:group Changing file and directory owner.
--wp-config Wizard generated wp-config.php
--plugins Download Plugins Security.
--proxy=PROXY Use a HTTP proxy to connect to the target url for
--plugins and --wp-config.
--indexes It deny you to display the contents of directories.
--minify Compressing static file .css and .js
--malware-scan Malware Scan in WordPress project.
--6g-firewall 6G Firewall.
--rest-api Disable REST API.
Miscellaneous:
-o FILE, --output=FILE
Write log report to FILE.log
Examples:
- Check a WordPress Project
Before using the tool, we must ensure that our working directory is WordPress.
$ python wphardening.py -d /home/path/to/wordpress -v
- Change permissions
This option is to add the correct permissions to files and directories.
$ python wphardening.py -d /home/path/to/wordpress --chmod -v
- Remove files that are not used
Part of the fortification of any system is to remove those files, directories or components required.
$ python wphardening.py -d /home/path/to/wordpress --remove -v
- Create your robots.txt file
WordPress default does not incorporate the robots.txt file with this option poemos customize our robots.txt
$ python wphardening.py -d /home/path/to/wordpress --robots -v
- Remove all fingerprinting and Version
$ python wphardening.py -d /home/path/to/wordpress --fingerprinting -v
- Check a TimThumb library
$ python wphardening.py -d /home/path/to/wordpress --timthumb -v
- Create Index file
This file is created as a way to avoid sailing in a directory.
$ python wphardening.py -d /home/path/to/wordpress --indexes -v
- Download Plugins security
The following is a list of the most commonly used security plugins that you can download automatically:
- AntiVirus
- Bad Behavior
- Block Bad Queries
- Exploit Scanner
- Latch
- NinjaFirewall
- Simple History
- Stream
- WP Security Scan
- WP-DBManager
- WPS Hide Login
$ python wphardening.py -d /home/path/to/wordpress --plugins
- Wizard generated wp-config.php
This command automatically creates a file called wp-config-wphardening.php which can then rename it.
$ python wphardening.py -d /home/path/to/wordpress --wp-config
- 6G Firewalls
$ python wphardening.py -d /home/path/to/wordpress --6g-firewall
- Disable REST API
$ python wphardening.py -d /home/path/to/wordpress --rest-api
- WPHardening update
With this option, you can always have the latest version of WPHardening.
$ python wphardening.py --update
- Use all options
$ python wphardening.py -d /home/path/to/wordpress -c -r -f -t --wp-config --indexes --plugins --6g-firewall --rest-api -o /home/user/wphardening.log
